Security by obscurity

This simple guide will help you secure your server in indirect way by hiding software versions from possible attackers. This can help you prevent many automated attacks and attacks based on software version number. If a hacker want’s to probe your system for hole he’ll start from collecting all version numbers from your running services. This guide will teach you setup common services not to give away their version numbers. This is called Security by obscurity and it’s not something to rely on but it can lower chances of getting your system hacked.

Apache (Web Server)

Let’s start with Apache first. It’s config file should at path

/etc/httpd/conf/httpd.conf

Open that with an editor of choice. For beginners I always suggest Midnight Commander but if you’re more experienced you can use antother editor like pico or vi. Anyway, in MC open file for editing by pressing F4 while the file is selected.

Locate those two lines and set it as follows. If you cant find them – add them.

ServerSignature Off
ServerTokens Prod

Server Signature will remove the identification of Apache version from error pages, and ServerTokens will identify Apache as “apache” without version number or OS information. Save the file and restart the Apache.

service httpd restart

Named (DNS Server)

Next we will disable named from giving away his version. Open named config file at path

/etc/named.conf

Search for line

query-source address * port 53;

Add a line right below it with add (if it doesn’t exist)

version "Named";

Save and restart named using

service named restart

 

Exim (Email Server)

Next we will disable the version numbers in Exim. If you are not running Exim there is no need to do this section. Exim config is at path

/etc/exim.conf

and if it could not be located, it probably means that you do not use Exim. Search for

smtp_banner = "${primary_hostname}"

This is the welcome message for the email server. You can put anything in here. Here’s a sample message

smtp_banner = "${primary_hostname} MailServer \n\We do not authorize the use of this system to transport unsolicited, \n\and/or bulk e-mail."

Save the config and restart Exim.

service exim restart

Remeber this is just security though obscurity and you still need to keep the server updated! This is just going to stop some people from finding your server in the first place by automated scanning. It will not help at all if somebody is trying to actually hack the server.

 

NOTE:

• This guide will just hide software version numbers from possible hacker. The less they know the weaker they are so Shhhhh!!!!
• Use this information at your risk. I’m not responsible for any damage that may occur by (mis)use of this data.

Source: eth0.us

Related Posts

• How to mount DigitalOcean Space on CentOS 7

• How to backup WHM/cPanel accounts to DigitalOcean Spaces

• How to mount Amazon S3 bucket with Goofys?

• How to disable excessive resource usage alert emails?

• How to instal s3fs-fuse on CentOS 6.8?